Introduction to SSL Network Extender (SNX)

SSL Network Extender is a thin client that remote users use to access internal resources that the administrator defines as applications.

SNX can work with the Mobile Access Software Blade or the IPsec VPN Software Blade.

The IPsec VPN Software Blade and the Mobile Access Software Blade require different licenses.

Workflow:

  1. The administrator configures a Security Gateway as an SSL-enabled web server that supports Remote Access clients.

  2. The remote user downloads the SNX client from the Security Gateway.

  3. The remote user can access internal resources.

    In a Mobile Access Software Blade configuration, the remote user can access configured applications.

Comparison of SNX supported features with the Mobile Access Software Blade and the IPsec VPN Software Blade

SNX with Mobile Access Software Blade

  • End User Experience: The Mobile Access Portal downloads SNX from the Security Gateway automatically.

  • Supported Access Control Rules: Access Control rules in SmartConsole based on user groups, user roles, networks, subnets, and IP addresses.

  • Supported Operating Systems: Windows, Linux, and macOS. Supported only with Mobile Access Portal. CLI is not supported.

SNX with Remote Access VPN Software Blade

  • End User Experience: Users download SNX from a Security Gateway portal.

  • Supported Access Control Rules: Access Control rules in SmartConsole based on networks, subnets, and IP addresses.

  • Supported Operating Systems: Linux (CLI only), macOS (CLI only), and Windows (IPsec VPN portal - works only with Internet Explorer).

If the Mobile Access Software Blade is enabled on the Security Gateway:

If the Mobile Access Software Blade is disabled and the IPsec VPN Software Blade is enabled on the Security Gateway:

  • SNX works through the IPsec VPN Software Blade.

  • You must configure the Access Control Policy in SmartConsole.

Important - If you configured the SSL Network Extender settings in the Security Gateway for the IPsec VPN Software Blade, and then you enabled the Mobile Access Software Blade, then you must reconfigure the required rules in the Mobile Access policy. The SSL Network Extender rules in the Access Control Policy no longer apply.

SNX Modes for Mobile Access Portal on an Endpoint Computer with Windows OS

SNX for Mobile Access supports Network Mode and Application Mode.

Supported application types

  • Network Mode: All Native IP-based applications and web applications.

  • Application Mode: Most Native IP-based applications and web applications are supported. OPSEC-certified applications are tested and verified. UDP-based applications are not supported.

Supported web browsers on the client computer

  • Network Mode: Google Chrome, Mozilla Firefox, Microsoft Edge, Safari

  • Application Mode: Google Chrome, Mozilla Firefox, Microsoft Edge, Safari

Required privileges on the client computer

  • Network Mode: Administrator privileges required on the client computer.

  • Application Mode: Administrator privileges not required on the client computer.

How remote users open the application

  • Network Mode: Remote users can open applications in the Mobile Access portal or on the desktop of the endpoint computer.

  • Application Mode: Remote users can open applications only in the Mobile Access Portal.

An application that is not supported in Application Mode does not appear in the Mobile Access Portal.

Note - Some Anti-Virus applications do not scan email when Microsoft Outlook is launched with SNX Application Mode because the mail is encrypted with SSL before the scanning begins.

Downloading SNX for Mobile Access or Remote Access VPN

Mobile Access

  • Endpoint Computer Operating System: Windows, Linux, or macOS

  • How to Download SNX: The endpoint computer automatically downloads SNX as a desktop application from the Mobile Access Portal.

Remote Access VPN

  • Endpoint Computer Operating System: Windows

  • How to Download SNX: The endpoint computer automatically downloads SNX as a desktop application from the Remote Access VPN portal.

Remote Access VPN

  • Endpoint Computer Operating System: Linux or macOS

  • How to Download SNX: You must download SNX manually as a command line application. See Basic Configuration of SSL Network Extender for Remote Access VPN.

Commonly Used Concepts

These are commonly used concepts that you encounter when working with the SSL Network Extender: